Education Sector Threat Analysis

Threat-Analysis-Report

Original Release Date: 3/2/2023

The NJCCIC assesses with high confidence that educational institutions across the globe will remain attractive targets for a range of cyber-attacks designed to disrupt daily operations, steal sensitive data, instill fear in the community, and hold critical operational data for ransom.

Across the United States, the education sector is experiencing a significant increase in cyberattacks, a trend that was exacerbated by the transition to remote and virtual learning during the COVID-19 pandemic. Malicious cyber actors are targeting school computer systems, slowing access, and rendering systems unable to perform basic functions. Students are spending more time online than ever before, using technology to complete homework, communicate with peers, and engage with teachers and school staff. As we become more dependent on technology, cybercriminals are becoming more advanced and evolving their attack techniques, and they will continue to target universities and school districts because many lack the resources, funding, or staffing to properly protect and defend their networks. The education sector, like every other sector, cannot rely on IT staff alone to defend against these threats; all users have a responsibility to become more aware of and educated on how to avoid cyberattacks. School staff, parents, guardians, and students should stay safe online by taking proactive steps to defend against risks and strengthen cybersecurity both at home and within educational institutions.

The education sector remained the most targeted sector in 2022. According to Check Point’s 2022 Mid-Year Report, “The education sector experienced a 44 percent increase in cyber-attacks when compared to 2021, with an average of 2297 attacks against organizations every week.” Unlike other networks, school networks are often more difficult to secure because of their wide user base of faculty, staff, and students. As the use of technology in the classroom is increasingly required for educational purposes, more schools are implementing Bring Your Own Device (BYOD) policies that allow students and employees to connect personal computers, tablets, and mobile phones to school networks. If BYOD is not implemented with security in mind, schools expose their networks and sensitive data to the increased risk of compromise created by vulnerable and infected devices. According to Emsisoft, the education sector continues to experience ransomware attacks, with at least 1,043 schools affected by ransomware in 2021; that figure breaks down to 62 school districts and 26 colleges and universities. In 2022, higher education institutions continued to be targeted by ransomware gangs. In March and April, BlackCat deployed ransomware against North Carolina A&T State University and Florida International University, and in April Austin Peay State University was also hit by a ransomware attack. Some of these incidents disrupted the application process, operations, and classes, with some institutions having to close.

Recent Incidents

January 2022: Albuquerque Public Schools in New Mexico had to cancel classes after a cyber-attack compromised the district’s student information system. The event followed a ransomware attack that impacted multiple government services across Bernalillo County.

March 2022: Altoona Area School District in Pennsylvania disclosed that its servers had been attacked in December 2021. In March 2022, employees told the district administration that their credit monitoring services had found their Social Security numbers or medical identification numbers on fraudulent trading websites on the Dark Web. The attackers posted 10 gigabytes of information, including students’ birth dates and addresses.

May 2022: Lincoln College in Illinois closed its doors 157 years after its founding, following an irrecoverable blow to its finances from the COVID-19 pandemic and a recent ransomware attack.

May 2022: Regina Public Schools in Saskatchewan was forced to shut down all internet-based systems following a ransomware attack. According to the note displayed on affected computers, 500 GB of files containing tax reports, health information, Social Insurance Numbers, and passports had been copied and encrypted. The BlackCat gang claimed responsibility.

June 2022: A ransomware incident affecting the Tenafly school district in New Jersey caused the cancellation of final exams, as students and teachers were unable to access necessary files. The school was forced back to pre-internet instruction, relying on overhead projectors, paper, and pencils.

June 2022: Glenn County Office of Education in California was attacked by the Quantum ransomware gang, which demanded a $1 million ransom. The gang was under the false impression that the county’s assets and cyber insurance would cover the demand; a lower payment was negotiated and $400,000 was later sent to the cybercriminals.

September 2022: A ransomware attack caused significant disruption to Los Angeles Unified School District (LAUSD), the second-largest school district in the United States, which enrolls more than 640,000 students from kindergarten through 12th grade. Vice Society claimed responsibility for the attack and reported that 500 GB of data had been stolen.

November 2022: Classes across Jackson and Hillsdale counties in Michigan were canceled for three days because of a ransomware attack. The incident caused a system outage affecting a wide range of building operations, including heating, telephone, and classroom technology. The districts restored essential systems, allowing classes to resume, and were in the early stages of an investigation that included assistance from the FBI.

 

Common Attack Types in the Education Sector

Data breaches: A data breach occurs when an unauthorized person gains access to protected information such as dates of birth, Social Security numbers, banking information, and medical records. Most breaches trace back to human error: stolen or weak credentials, or staff manipulated through social engineering. Data breaches can have a devastating impact on students, teachers, and staff.

Phishing: For a phishing attack to succeed, attackers go to great lengths to make their emails appear as legitimate as possible. These emails typically contain links that direct recipients to an attacker-controlled website that delivers malware or harvests user credentials. A successful phish is often the entry point for more damaging attacks such as data breaches, malware infections, or ransomware.

Ransomware attacks: Ransomware attacks are financially motivated. They generally aim to encrypt, and increasingly to steal, the data on information systems and servers by exploiting vulnerabilities within the network; unmanaged external devices and the absence of anti-virus and anti-malware protection make the attacker’s task easier. Such attacks cause serious damage to schools because they disrupt key computer systems and school operations and, more importantly, put student data and safety at risk. Ransomware is often spread through phishing emails that contain malicious attachments.

Business email compromise (BEC) scams: Involving the use of email to trick school business officials and staff members into giving up sensitive information and large sums of money, including by issuing fake invoices to districts, redirecting authorized electronic payments to bank accounts controlled by criminals, and stealing W-2 tax information of district employees.

Denial of service (DoS) attacks: Intended to make school IT resources unavailable to students and staff by temporarily disrupting their normal functioning.

Website and social media defacement: Involving unauthorized changes such as posting inappropriate language and images to a school website or official social media account.

Online class and school meeting disruption: Involving unauthorized access to online classes and meetings for the purpose of disruption. Intruders typically share hate speech, shocking images, sounds, and videos, and threats of violence. Despite the attention drawn to these incidents and the availability of advice on how to defend against them, school districts continue to fall prey to them.

Email compromises: Involving the compromise of a school district’s email systems by unauthorized individuals for the purpose of bulk sharing of, or linking to, disturbing images, videos, hate speech, and/or threats of violence to members of the school community.

 

Recommendations

At minimum, the education sector is advised to implement the following to strengthen cyber resiliency:

  • Consider cyber insurance: Cyber insurance covers financial losses from computer-related crimes and incidents, including targeted attacks such as malware and phishing as well as the occasional misplaced laptop containing confidential material. Insurers commonly condition coverage on controls such as MFA and tested offline backups, so policy requirements should be reviewed alongside the technical recommendations below.

  • Patching and updating: Install critical updates as soon as they are available. Install and regularly update anti-virus and anti-malware software on all hosts. Disable unused remote access/RDP ports, never expose RDP directly to the internet, and monitor remote access/RDP logs for repeated failed logons followed by a success.

  • Create backups: Regularly back up data, and keep air-gapped, password-protected backup copies offline. Ensure copies of critical data cannot be modified or deleted from the system where the data resides, and periodically test restoring from them.

  • Use strong passwords: Use at least 12 characters with a mix of numbers, symbols, and capital letters placed throughout the password, not only at the start or end. Never reuse a password across accounts or between personal and business accounts. Consider using a password manager, an application that stores all passwords in one encrypted vault. Do not share passwords on the phone, in texts, or by email. Require an immediate change whenever a credential is suspected of compromise; note that NIST SP 800-63B no longer recommends routine forced rotation without cause, since it tends to produce weaker, predictable passwords.

  • Enable MFA: Use multi-factor authentication (MFA) wherever possible. Also known as two-factor or two-step verification, this security feature requires a combination of at least two of three factors: something you know, something you have, or something you are. Most often, MFA combines a password with either a one-time code or a biometric. MFA protects an account even if its password is compromised; prefer phishing-resistant methods such as hardware security keys (FIDO2/WebAuthn) over SMS codes where they are available, since SMS can be intercepted and push prompts can be approved by mistake.

  • Ensure physical security of devices: Do not leave laptops, phones, or other devices unattended in public or even in a locked car. They may contain sensitive information and should be protected against falling into the wrong hands. Turn on device encryption to encrypt all data on each device and reduce the risk to sensitive information in case the device is stolen or misplaced.

  • Think before clicking or sharing information: Every time someone asks for business information, whether in an email, text, phone call, or web form, consider whether the request is trustworthy. Scammers will say or do anything to obtain account numbers, credit card numbers, Social Security numbers, or other sensitive information, and will rush, pressure, or threaten targets into giving it up. Avoid clicking links in unsolicited email; instead, navigate to the site directly or through a saved bookmark, since malicious links can lead to credential compromise or malware installation.

  • Only give sensitive information over encrypted websites: When banking or buying online, stick to sites that use encryption to protect information as it travels from the computer to the server. Look for “https” at the beginning of the web address in the browser’s address bar on every page of the site, not just the login page. Note that HTTPS only protects data in transit; phishing sites use it too, so it is not proof that a site is legitimate.

  • Secure wireless networks: Unsecured routers can allow strangers to access sensitive personal or financial information on connected devices. Change the router’s administrator password and network name (SSID) from the defaults, use WPA2 or WPA3 encryption, keep router firmware up to date, and turn off any “remote management” features that attackers can use to get into the network. Once setup is complete, log out of the administrator account to lessen the risk of someone gaining control of it. Only use secure networks, avoid public Wi-Fi, and consider using a virtual private network (VPN) when off-site.

  • Separation of duties and least privilege: Staff must have individual credentials and only the privileges their roles require. Apply the Principle of Least Privilege to all accounts, including the day-to-day accounts of IT staff, and require separate administrator credentials to install software.

  • Catalog and reduce system dependencies: Critical systems dependencies, such as third-party vendors and processes, should be identified and minimized where possible.

  • Encryption: Encrypt sensitive data at rest on devices and in transit between them. Where appropriate, use certificate pinning so that clients cannot be tricked into connecting to spoofed services, and store keys in hardware-backed key stores (such as a TPM or secure element) to reduce the risk of key extraction, including through side-channel attacks.

  • Employee training and awareness: All employees working on critical systems must have training or certifications appropriate to the elevated threat level of their positions. Awareness training is the first line of defense against human error and phishing, but it does not eliminate them; pair it with technical controls such as MFA, email filtering, and least privilege so that a single mistaken click is not enough to compromise the network.

  • Trusted procurement procedures: Commercial off-the-shelf (COTS) hardware and software should be acquired through procurement procedures that verify the vendor and product meet defined security standards, and should be installed only on devices that themselves meet those standards.

  • Vulnerability management: All organizations are encouraged to implement vulnerability management policies that include vulnerability assessments, a patch management plan, and penetration testing audits, where feasible, on a regular basis to maintain an understanding of an organization’s risk posture.

  • Network segmentation: All facilities must deploy proper network segmentation, with a DMZ for internet-facing services and isolation of critical systems. Whenever possible, building automation and industrial control systems (such as heating and door controls) should not share a network with internet-accessible devices, and student and BYOD traffic should be kept separate from administrative systems.

  • Cybersecurity plans: Implement and maintain cybersecurity plans, including continuity of operations plans (COOPs), incident response, disaster recovery, and a data backup plan in which multiple copies of data are kept in physically separate, segmented, and secure locations (e.g., a hard drive, a removable storage device, or the cloud). Establish, test, and update all cybersecurity plans at regular intervals.

  • External email tags: Consider adding an email banner to messages originating outside the organization and disabling hyperlinks in email sent from external accounts.
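As an added illustration of the recommendation above to monitor remote access/RDP logs (this is example code written for this page, not NJCCIC tooling), the following Python script scans Windows Security events for RDP brute-force activity and raises a higher-priority alert when a flagged source later logs in successfully. The log lines are a constructed, simplified text export; Event IDs 4625 (failed logon) and 4624 (successful logon) and LogonType 10 (RemoteInteractive) are real Windows values, while the field layout, the five-failure threshold, and the five-minute window are assumptions.

```python
"""Detect RDP brute-force in Windows Security events (added example).

Event IDs used (real Windows values): 4625 = failed logon, 4624 = successful
logon.  LogonType 10 = RemoteInteractive, i.e. RDP.  The text layout below is
a constructed, simplified export; a real pipeline would read EVTX or a SIEM
feed with the same field names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.45 hammers 'administrator', then succeeds
# as 'backupadmin'; 10.20.30.40 is a normal user; the last line is a
# local (LogonType 2) failure that must be ignored.
SAMPLE_LOG = """\
2023-02-27T08:00:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2023-02-27T08:00:04Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2023-02-27T08:00:09Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2023-02-27T08:00:15Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.20.30.40
2023-02-27T08:00:21Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2023-02-27T08:00:27Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2023-02-27T08:00:35Z EventID=4625 LogonType=10 TargetUserName=backupadmin IpAddress=203.0.113.45
2023-02-27T08:01:02Z EventID=4624 LogonType=10 TargetUserName=backupadmin IpAddress=203.0.113.45
2023-02-27T09:30:00Z EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=127.0.0.1
"""


def parse_line(line):
    """'<ISO timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alert dicts.  Two detections:
      'bruteforce'              : >= threshold failed RDP logons from one IP
                                  inside a sliding `window` (raised once per IP)
      'bruteforce_then_success' : a later successful RDP logon from an IP that
                                  already tripped the first detection
    """
    recent_failures = defaultdict(deque)   # ip -> timestamps of recent 4625s
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("LogonType") != "10":   # only RemoteInteractive (RDP) logons
            continue
        ip, ts = rec["IpAddress"], rec["ts"]
        if rec["EventID"] == "4625":
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "first_seen": q[0], "count": len(q)})
        elif rec["EventID"] == "4624" and ip in flagged:
            alerts.append({"type": "bruteforce_then_success", "ip": ip,
                           "user": rec["TargetUserName"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging someone for: a burst of failures that ends in a successful logon means a credential has been guessed, and the account named in that 4624 event should be disabled and its sessions terminated before the investigation continues.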
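The external email tagging recommendation above, as an added example (this is code written for this page, not NJCCIC’s or any mail vendor’s): a Python filter that parses an inbound message, prefixes the subject and prepends a banner when the sender is outside the organization, and neutralizes links in the text and HTML parts. The INTERNAL_DOMAINS set, the X-External-Sender header name, and both sample messages are constructed for the demo.

```python
"""Tag external mail and neutralize its links (added example).

INTERNAL_DOMAINS, the marker header and the sample messages are assumptions
made for this demo.  In production this logic runs in the mail gateway,
a milter or a transport rule, not as a script.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"school.example.edu"}          # assumed; use your own domains
BANNER = ("[EXTERNAL] This message came from outside the district.\n"
          "Links have been disabled. Do not open attachments you did not expect.\n\n")
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
HREF_RE = re.compile(r"\bhref\s*=", re.IGNORECASE)


def is_external(msg):
    """A sender is external when the From: domain is not one of ours.
    A missing or unparsable From: is treated as external, never as trusted."""
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def defang_text(text):
    """http://x -> hxxp://x: still readable by the recipient, no longer clickable."""
    return URL_RE.sub(lambda m: "hxx" + m.group(0)[3:], text)


def disable_html_links(html):
    """Renaming href= keeps the anchor text visible but removes the hyperlink."""
    return HREF_RE.sub("data-disabled-href=", html)


def tag_external(raw):
    """Parse a raw RFC 5322 message.  If it is external: prefix the subject,
    add a marker header, prepend the banner to every text/plain part and
    neutralize links in text/plain and text/html parts.  Internal mail is
    returned untouched."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith("[EXTERNAL]"):
        del msg["Subject"]                      # no error if absent
        msg["Subject"] = "[EXTERNAL] " + subject
    del msg["X-External-Sender"]                # keep the filter idempotent
    msg["X-External-Sender"] = "yes"
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            part.set_content(BANNER + defang_text(part.get_content()), subtype="plain")
        elif ctype == "text/html":
            part.set_content(disable_html_links(part.get_content()), subtype="html")
    return msg


# Constructed sample: a fake-invoice BEC lure (multipart text + HTML) ...
EXTERNAL_RAW = """\
From: "Accounts Payable" <billing@vendor-invoices.example>
To: business.office@school.example.edu
Subject: Overdue invoice #4471
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please remit payment today: http://vendor-invoices.example/pay
--b1
Content-Type: text/html; charset="us-ascii"

<p>Please <a href="http://vendor-invoices.example/pay">pay now</a></p>
--b1--
"""

# ... and a plain internal message that must pass through unchanged.
INTERNAL_RAW = """\
From: Principal <principal@school.example.edu>
To: staff@school.example.edu
Subject: Staff meeting

Agenda is on the intranet: https://intranet.school.example.edu/agenda
"""

if __name__ == "__main__":
    print(tag_external(EXTERNAL_RAW).as_string())
    print(tag_external(INTERNAL_RAW).as_string())
```

Most mail platforms can add an external-sender banner natively; the step they usually lack is the defanging, which is what stops a hurried business-office employee from reaching the attacker’s payment page with one click. Keying the decision on the From: header alone is a simplification: a gateway should also consult the envelope sender and the message’s SPF/DKIM/DMARC results, since an attacker can forge a From: address in an internal domain.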

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.

